X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/62962a470d48dd14ebcd39f1de37504abd2f77b5..146192d5b01329bd8e5dfbf4045efded467151e0:/IkiWiki/Plugin/git.pm?ds=inline diff --git a/IkiWiki/Plugin/git.pm b/IkiWiki/Plugin/git.pm index 1facb14c0..5bef92856 100644 --- a/IkiWiki/Plugin/git.pm +++ b/IkiWiki/Plugin/git.pm @@ -9,6 +9,7 @@ use open qw{:utf8 :std}; my $sha1_pattern = qr/[0-9a-fA-F]{40}/; # pattern to validate Git sha1sums my $dummy_commit_msg = 'dummy commit'; # message to skip in recent changes +my $no_chdir=0; sub import { #{{{ hook(type => "checkconfig", id => "git", call => \&checkconfig); @@ -23,7 +24,7 @@ sub import { #{{{ hook(type => "rcs", id => "rcs_recentchanges", call => \&rcs_recentchanges); hook(type => "rcs", id => "rcs_diff", call => \&rcs_diff); hook(type => "rcs", id => "rcs_getctime", call => \&rcs_getctime); - hook(type => "rcs", id => "rcs_test_receive", call => \&rcs_test_receive); + hook(type => "rcs", id => "rcs_receive", call => \&rcs_receive); } #}}} sub checkconfig () { #{{{ @@ -45,7 +46,7 @@ sub checkconfig () { #{{{ push @{$config{wrappers}}, { test_receive => 1, wrapper => $config{git_test_receive_wrapper}, - wrappermode => "0755", + wrappermode => (defined $config{git_wrappermode} ? $config{git_wrappermode} : "06755"), }; } } #}}} @@ -77,7 +78,7 @@ sub getsetup () { #{{{ safe => 0, # file rebuild => 0, }, - git_untrusted_committers => { + untrusted_committers => { type => "string", example => [], description => "unix users whose commits should be checked by the pre-receive hook", @@ -127,8 +128,10 @@ sub safe_git (&@) { #{{{ if (!$pid) { # In child. # Git commands want to be in wc. - chdir $config{srcdir} - or error("Cannot chdir to $config{srcdir}: $!"); + if (! $no_chdir) { + chdir $config{srcdir} + or error("Cannot chdir to $config{srcdir}: $!"); + } exec @cmdline or error("Cannot exec '@cmdline': $!"); } # In parent. @@ -362,8 +365,10 @@ sub git_commit_info ($;$) { #{{{ # starting from the given sha1sum. my ($sha1, $num) = @_; - my @raw_lines = run_or_die('git', 'log', - (defined $num ? "--max-count=$num" : ""), + my @opts; + push @opts, "--max-count=$num" if defined $num; + + my @raw_lines = run_or_die('git', 'log', @opts, '--pretty=raw', '--raw', '--abbrev=40', '--always', '-c', '-r', $sha1, '--', '.'); my ($prefix) = run_or_die('git', 'rev-parse', '--show-prefix'); @@ -588,15 +593,7 @@ sub rcs_getctime ($) { #{{{ return $ctime; } #}}} -sub rcs_test_receive () { #{{{ - # quick success if the user is trusted - my $committer=(getpwuid($<))[0]; - if (! defined $committer) { - error("cannot determine username for $<"); - } - exit 0 if ! ref $config{git_untrusted_committers} || - ! grep { $_ eq $committer } @{$config{git_untrusted_committers}}; - +sub rcs_receive () { #{{{ # The wiki may not be the only thing in the git repo. # Determine if it is in a subdirectory by examining the srcdir, # and its parents, looking for the .git directory. @@ -610,54 +607,83 @@ sub rcs_test_receive () { #{{{ } } - my @errors; + my @rets; while (<>) { chomp; my ($oldrev, $newrev, $refname) = split(' ', $_, 3); - + # only allow changes to gitmaster_branch if ($refname !~ /^refs\/heads\/\Q$config{gitmaster_branch}\E$/) { - push @errors, sprintf(gettext("you are not allowed to change %s"), $refname); + error sprintf(gettext("you are not allowed to change %s"), $refname); } - - foreach my $ci (git_commit_info($oldrev."..".$newrev)) { + + # Avoid chdir when running git here, because the changes + # are in the master git repo, not the srcdir repo. + # The pre-recieve hook already puts us in the right place. + $no_chdir=1; + my @changes=git_commit_info($oldrev."..".$newrev); + $no_chdir=0; + + foreach my $ci (@changes) { foreach my $detail (@{ $ci->{'details'} }) { my $file = $detail->{'file'}; - # check that all changed files are in the subdir + # check that all changed files are in the + # subdir if (length $subdir && ! ($file =~ s/^\Q$subdir\E//)) { - push @errors, sprintf(gettext("you are not allowed to change %s"), $file); - next; + error sprintf(gettext("you are not allowed to change %s"), $file); } - if ($detail->{'mode_from'} ne $detail->{'mode_to'}) { - push @errors, gettext("you are not allowed to change file modes"); + my ($action, $mode, $path); + if ($detail->{'status'} =~ /^[M]+\d*$/) { + $action="change"; + $mode=$detail->{'mode_to'}; } - - if ($detail->{'status'} =~ /^D+\d*/) { - # TODO check_canremove + elsif ($detail->{'status'} =~ /^[AM]+\d*$/) { + $action="add"; + $mode=$detail->{'mode_to'}; } - elsif ($detail->{'status'} !~ /^[MA]+\d*$/) { - push @errors, "unknown status ".$detail->{'status'}; + elsif ($detail->{'status'} =~ /^[DAM]+\d*/) { + $action="remove"; + $mode=$detail->{'mode_from'}; } else { - # TODO check_canedit - # TODO check_canattach + error "unknown status ".$detail->{'status'}; + } + + # test that the file mode is ok + if ($mode !~ /^100[64][64][64]$/) { + error sprintf(gettext("you cannot act on a file with mode %s"), $mode); + } + if ($action eq "change") { + if ($detail->{'mode_from'} ne $detail->{'mode_to'}) { + error gettext("you are not allowed to change file modes"); + } } + + # extract attachment to temp file + if (($action eq 'add' || $action eq 'change') && + ! pagetype($file)) { + eval q{use File::Temp}; + die $@ if $@; + my $fh; + ($fh, $path)=File::Temp::tempfile("XXXXXXXXXX", UNLINK => 1); + if (system("git show ".$detail->{sha1_to}." > '$path'") != 0) { + error("failed writing temp file"); + } + } + + push @rets, { + file => $file, + action => $action, + path => $path, + }; } } } - if (@errors) { - # TODO clean up objects from failed push - - print STDERR "$_\n" foreach @errors; - exit 1; - } - else { - exit 0; - } + return reverse @rets; } #}}} 1